134 matches found
CVE-2026-41011
The CVE affects BOSH: all versions prior to v282.1.12 (inclusive). PackagePersister.validate_tgz constructs a tar command (tar -tf #{tgz}) using a name derived from release.MF without Shellwords.escape, and passes it to Bosh::Common::Exec.sh (via /bin/sh -c). The Models::Package validation runs a...
SUSE CVE-2026-7837
A time-of-check time-of-use (TOCTOU) condition in the adflush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions...
CVE-2026-42246
Net::IMAP (Ruby) versions before 0.3.10, 0.4.24, 0.5.14, and 0.6.4 are affected by a STARTTLS stripping issue. A man-in-the-middle attacker can cause Net::IMAP#starttls to report a successful TLS upgrade without actually enabling TLS, leaving the socket unencrypted. The vulnerability is mitigated...
CVE-2026-43459
A flaw was found in the Linux kernel's sound subsystem ASoC. When a sound card is unbound while an audio stream is active, a timing issue can lead to a use-after-free vulnerability. This occurs because certain resources are freed before all pending operations are completed. A local attacker could...
CVE-2026-41488
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS...
CVE-2026-35353 uutils coreutils mkdir Permission Exposure Race Condition with -m
The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions (typically 0755) before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces ...
EUVD-2026-24498
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat method uses a blocking channel send while holding a mutex, and under specific timin...
CVE-2026-29044
EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is processed before the TransactionStarted event, AuthHandler determines transaction_active=false and only calls withdraw_authorization_callback. This path ultimately calls Charger::deauthorize, but no...
CVE-2026-32232
CVE-2026-32232 affects ZeptoClaw (pre-0.7.6). The vulnerability combines Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypass, allowing workspace boundary bypass during path validation and subsequent I/O. The issue is fixed in 0.7.6. Affected behavior in...
Security Bulletin: Multiple Vulnerabilities in IBM Workload Scheduler component of IBM Workload Automation
Summary: Multiple vulnerabilities were addressed in IBM Workload Scheduler component of IBM Workload Automation 10.1.0.5 and 10.2.3. Vulnerability Details: CVEID: CVE-2023-32342. DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel...
CoreDNS ACL Bypass
A logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. Impact: In multi-tenant Kubernetes clusters, this...
CVE-2026-27610
Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only use...
CVE-2025-61730 Handshake messages may be processed at the incorrect encryption level in crypto/tls
During the TLS 1.3 handshake, if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosu...
MiracleLinux 8 : java-11-openjdk-11.0.22.0.7-2.el8 (AXSA:2024-7445:04)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7445:04 advisory. OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918); OpenJDK: RSA padding issue and timing...
CVE-2023-40182
Silverware Games is a premium social network where people can play games online. When using the Recovery form, a noticeably different amount of time passes depending on whether the specified email address is present in our database or not. This has been fixed in version 1.3.7...
CVE-2020-7335
Privilege Escalation vulnerability in Microsoft Windows client McAfee Total Protection (MTP) prior to 16.0.29 allows local users to gain elevated privileges via careful manipulation of a folder by creating a junction link. This exploits a lack of protection through a timing issue and is only...
CVE-2025-11932
The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder...
EUVD-2021-1608
Malware in sbrugna...
EUVD-2007-3720
Malware in sbrugna...
EUVD-2009-2791
Malware in sbrugna...